Rebooting Computer Crime Part 3: The Punishment Should Fit the Crime

In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. As we've noted, the CFAA has many problems. In this three-part series, we're exploring these problems in detail and giving more explanation of our suggested fixes. For more details about our proposal for CFAA reform, see part 1 and part 2.

As we've noted before, we suggest four basic penalty changes to the CFAA.[1] As Aaron's case indicated, the CFAA's current broad language and draconian penalty scheme allow overreaching prosecutors to abuse their discretion. This can turn minor incidents with no real harm into serious criminal prosecutions, with the threat of long prison sentences and the consequences that go along with a felony conviction—like not being able to vote.

Our suggested changes aren't a get-out-of-jail-free card for computer criminals. Computer crime can be serious and law enforcement should properly investigate and prosecute those who use computers to cause financial harm and violate the privacy of others. But at the same time, punishments should fit crimes.

Our full reform proposal (which is still a work in progress) attempts to ensure the CFAA isn't used to target innovative uses of technology or violations of contractual restrictions, but still retains enough measured and proportionate punishment to deter malicious criminals. If we were able to start from scratch, we might change the law even more, but starting from the current CFAA we've suggested some modest amendments even the most anti-crime Congressperson should be able to support. Specifically on penalties, we suggest:

1. Computer Crime Law Should Not Double-Count Offenses

Along with former federal prosecutor and law professor Orin Kerr, we've suggested eliminating two provisions of the CFAA—§§ 1030(a)(3) and 1030(a)(4)—because they're duplicative of other offenses in the statute. Section 1030(a)(3) criminalizes accessing without authorization either (1) a computer used exclusively by the federal government or, (2) a computer used by the government in a way that affects the government's use of the computer. Meanwhile, § 1030(a)(4) makes it a crime to "knowingly and with intent to defraud" access a computer without authorization and obtain something of value as a result.

Striking these provisions is a good idea because the CFAA already criminalizes the same behavior elsewhere in the statute. Section 1030(a)(2)(B) says it's a crime to access a computer without authorization and obtain information from a department or agency of the United States, or access without authorization any "protected computer," a term defined so broadly that it reaches pretty much any computer. Plus, the conduct prohibited in § 1030(a)(4) is also prohibited by the wire fraud statute, 18 U.S.C. § 1343, which makes it illegal to use a wire communication to execute a fraudulent scheme. These duplicative sections allow prosecutors, as they did in Aaron's case, to stack up multiple charges against him for the same actions and thereby ratchet up the potential penalties.

Both § 1030(a)(2) and the wire fraud statute carry penalties that are just as serious as the two provisions of the CFAA that we support eliminating. In fact, the wire fraud statute has an even higher maximum punishment—20 years—than § 1030(a)(4).

2. "Repeat" Offenses Should Trigger Harsher Punishments Only if They Happen After a Prior Conviction

The CFAA currently imposes harsher penalties on individuals who violate the CFAA "after a conviction" for another CFAA offense. This makes sense: people who haven't learned their lesson the first time should be punished more harshly the second time. But because of the Supreme Court's decision in Deal v. United States, prosecutors and courts can leverage the same course of conduct in an indictment into multiple counts, thus increasing maximum penalties. That's precisely what happened to Aaron. In his first indictment, he was charged with four counts, facing a theoretical maximum punishment of 35 years, according to the government. But prosecutors later filed a superseding indictment, stretching those four counts into thirteen, meaning the additional CFAA counts were treated as repeat offenses although they were based on one course of conduct: accessing JSTOR over several days. And in turn that increased the maximum punishment to 50 years.

Our proposed changes would ensure that offenses actually have to happen after a person has been convicted and his sentence has been served before triggering the CFAA's harsher penalties for repeat offenders.

3. We Should Punish More Computer Crime Offenses as Misdemeanors, Which Still Have Serious Consequences

Although "felony" and "misdemeanor" are words that have entered the popular lexicon, they're often misunderstood. A "misdemeanor" refers to a crime that has a maximum punishment of one year or less. A "felony" can be punished by more than one year in prison.

EFF's proposal would make most offenses with little economic harm into misdemeanors instead of felonies, so that low-impact offenses that aren't coupled with other criminal behavior would still be criminally punished, but not effectively ruin someone's life.

Obviously, felony punishment should be reserved for more serious crimes. That's because in addition to longer prison sentences, felony convictions have major consequences, including the loss of the right to own a firearm and a loss of the right to vote in some states. Some felony convictions—including those involving fraud or deceit in which the loss to the victim exceeds $10,000—can get non-U.S. citizens automatically deported. Beyond this is the tremendous social stigma that comes with the label of "convicted felon." It's tougher to get a job or a mortgage or get financial aid for school with a felony conviction on your record.

That's why the CFAA's felony punishments should apply only to more egregious behavior.

But that doesn't mean individuals who commit minor violations of the CFAA that only rise to the level of a misdemeanor escape without punishment. A judge could still sentence a defendant convicted of a misdemeanor CFAA crime with up to one year in jail, as well as a fine up to $100,000. Misdemeanor defendants are also subject to a one-year term of supervised release following their release from custody. While on supervised release, defendants are under the supervision of a probation officer, who may require a defendant to report to a probation office weekly, restrict their ability to use a computer or access certain websites, and submit to home visits and drug testing. In some states, including California, individuals convicted of misdemeanors are stripped of their Fourth Amendment rights. Violations of supervised release conditions can land the person right back into jail. If the court wants to extend the period of supervision for a person convicted of a misdemeanor, rather than impose a prison term, the court can place the person on probation for up to five years, subject to strict conditions and the threat of a one year jail sentence looming over their head for violating probation.

Losing your freedom for a year is a big deal and probation terms can be onerous, especially for someone just starting out in life and beginning a career. Misdemeanors are serious, but can hopefully deter someone from heading down the wrong path without having a disastrous effect on the rest of their lives.

Under our proposal, felony punishments would still remain for those who:

gain unauthorized access to a computer for commercial advantage or private financial gain where the fair market value of the information obtained exceeds $10,000;

gain unauthorized access to a computer in furtherance of another felony, including identity theft, trade secrets, criminal copyright infringement or stealing classified government information;

cause damage to a computer if the damage (1) impairs medical diagnosis or treatment, (2) results in physical injury to any person, (3) creates a threat to public health or safety, (4) affects a U.S. Government computer used in the administration of justice, national defense, or national security, or (5) is done for commercial advantage or private financial gain and causes loss of more than $10,000.

Those convicted of these felony offenses will face a longer potential prison sentence starting from five years and going up from there, up to $250,000 in fines, and longer periods of supervised release following their reintegration into society. Plus, felony punishments would also apply to individuals who've previously been convicted of violating the CFAA in a separate case.

If we truly want to fix the CFAA, we need to ensure that the law's penalties are actually proportionate to the wrongdoing they're meant to punish. Please join EFF in calling on Congress to fix the CFAA by sending an email to your elected representatives now.

[1] We also suggest removing the provision of the CFAA that ties civil liability and criminal liability together, something Professor Kerr advocates as well. Civil CFAA claims are generally redundant of other causes of action like breach of contract or trade secrecy. More importantly, much of the overreach of the CFAA comes from the broad interpretation of the law in civil cases that then creates broad criminal liability.
